The Information Commissioner’s Office has been all over the news this week suggesting consumers should be wary about sharing data with venues via fast-ordering apps. And quite right too really: often the sign-up process is cumbersome and the data that is being requested isn’t relevant.
As a personal point of view, I wanted to buy a couple of pints in a Young’s pub recently. There was no table or bar service, so I had to use the app. To order two drinks meant having to create an account which meant sharing an email address and password. Was that really needed to just buy two pints of (admittedly very nice) beer?
Is there a downside?
On the other hand, can we fault Young’s, and the other companies who are doing this, for taking an opportunity to gather some very useful data for their business? The UK’s four biggest pub chains, who represent a quarter of the market – Wetherspoons, Greene King, Mitchells, and Butlers & Stonegate – all now have their own in-house apps and say they have seen huge growth during the pandemic.
This means that they are building lists of customers using their pubs, and in many cases getting consent for contact at the same time (to be fair to Young’s their contact consent process was very clear and not essential for me to do before I could buy my beer). Which is ironic given the media coverage Wetherspoons gained when it deleted its entire email list pre-GDPR.
As ever, this is a conversation ultimately about balance. The ICO is spot on to issue a warning. There really shouldn’t be a necessity in using an app to order food or drink from now on so if you are worried about your personal data and how it is being used, then don’t do it.
However, many of us see a convenience in using an app. If, during that process, we are happy to set up an account to make repeat ordering easier, then that seems fair.
If we also want to hear about offers and promotions, or even information about the places we visit, then consenting to communications also seems fair – as long as none of this is done as a condition of purchase. Be sensible, be wary but also share your data with the brands you trust and want to engage with.
You’ve got data: what next?
Which brings us to another point. Now all these companies have gathered lots of data – and let’s assume fairly and transparently – what are they going to do with it and how are they going to keep it up to date?
GDPR isn’t just about protecting consumer data when it is being gathered, it is also about how it is stored, how it is kept clean and fresh and then how it is used and managed. All of these companies who are gathering data for the first time need to also be aware of the obligations they now have to look after our personal details and then how to delete it when it is no longer of use.
The ICO is correct in warning consumers to be wary about who they share their data with. The regulator should also be warning the companies gathering the data to be careful about what they do with it.